How to train new grads on corporate security

Millennials bring a lot to the workplace, whether they're pushing the boundaries of company culture or forcing companies to modernize. But there are a few risks associated with hiring recent grads -- especially if it's their first job in the industry -- and one of those risks is data security.

In a recent study from the Ponemon Institute in partnership with Experian, which surveyed over 16,000 people at companies with data protection and privacy training programs, 66 percent of respondents cited employees as the biggest security threat to their company. And 55 percent said that their organization had, at some point, experienced a "security incident or data breach due to a malicious or negligent employee," according to the report.

With new grads entering the workforce, it's time to make your security policies a priority in the hiring and onboarding process. According to David Wagner, CEO of ZixCorp, and Brandon Rogers, Senior Vice President of Product Strategy and Operations at Blue Coat, companies need to take a multi-step approach to help prevent their employees -- especially new hires -- from becoming their biggest security threat.

Strike a balance

One of the biggest reasons employees try to skirt security measures is to save time and be more productive. It's great that they want to be more effective and productive, but if they're using tools outside the eyes of IT, sensitive data could be put at risk. Business leaders need to find a way to encourage a modern environment without sacrificing some level of regulation over corporate data and security measures. "I view this like a university or academic environment. How do you make the [office] a highly collaborative, fun and easy place to get things done -- a 'great place to work' -- and balance that with the control requirements to protect your IP, PHI, PII and other customer-centric data?" says Rogers.

Millennials are accustomed to using intuitive hardware and software aimed at making their lives easier. And it's not just millennials who reach for third-party options if the in-house services IT offers are too slow -- sometimes entire departments will bypass IT in order to get the tools they need. Rogers points to a Blue Coat study that found 40 percent of IT spending fell outside of IT, and that it was a result of employees choosing to find alternative solutions when the available resources from IT didn't live up to their expectations.

Businesses need to find a way to secure corporate data without driving employees to seek alternative apps and programs. "Many corporate environments may feel cumbersome and slow for these 'digital natives' to work within, and their expectation of convenience simply may be at odds with the needs of the organization's security," says Rogers.

And that opens up a world of security issues, since IT might not even know all of the third-party tools that are used across the company, or the threats they may pose. Organizations need to take digital transformation seriously to prevent this type of employee behavior, says Rogers. It's crucial to evaluate your current technology, to get a sense of what employees are looking for in work-related apps and services and then to find a way to deliver those tools without compromising security.

Security onboarding

Your employees are the most engaged during the first six months at a new job, according to research from Gallup, but after the honeymoon stage, engagement swiftly drops off. It's important to instill a sense of cybersecurity awareness in your employees within their first few months on the job. The longer you wait, the less likely they will be to fully comprehend the importance of enterprise security. The onboarding stage is a great time to lay out your business's overall mission as well as any policies around BYOD, confidentiality and security.

You also want to make sure that employees value the company's data and assets -- it's naïve to expect that they'll show up on their first day completely comprehending the value of corporate data and resources. Rather, Rogers says you need to encourage a sense of ownership in employees -- especially new hires -- so that they feel just as eager to protect those assets as someone more senior.

"If an employee is interacting with a critical database containing personal information of customers, he or she should be well-versed in the potential ramifications both in terms of ruin and regulation that the exposure of that data could have. Once a user understands the criticality of the assets they are working with, he or she is generally more cautious within how they use it," he says.

One way to ensure your employees actually retain the information they're taught in training is to make it entertaining and interesting. Wagner says to avoid "long, comprehensive courses," noting that these can make your employees feel tired, drained and worn out. Instead, he suggests rolling out security training sessions in "bite-size chunks," so employees remain engaged. And regular internal testing can help ensure employees are still up to date on security.

Don't make assumptions

Just because your millennial hires are considered "digital natives," it doesn't mean you should automatically assume they're also tech-savvy. A study from Raytheon and the National Cyber Security Alliance found that, for the most part, millennials are overconfident in their cybersecurity skills. Results showed that 66 percent of respondents had connected to a password-free public Wi-Fi within the last month, and the same percentage also admitted to not updating their operating system or browser; 23 percent said they shared a password with a non-family member within the last year, and 20 percent had never changed their online banking password.

Similarly, Wagner points to a survey from Software Advice that found millennials are the worst when it comes to password security -- 85 percent said they use the same login credentials for multiple sites, and they're the group most likely to use security workarounds. Over half admitted that it's likely they'd make an effort to avoid any restrictive workplace controls, and the demographic showed the riskiest behavior compared to other generations.

And part of that, says Wagner, is because your newest employees, for the most part, haven't worked in an environment where anything besides their personal cybersecurity mattered. Ultimately, while these new grads might understand how to protect their own smartphone or notebook, chances are that they haven't encountered phishing attacks or had a need to encrypt confidential corporate data. So just because your youngest workers might seem adept at technology, remember that most of them haven't had to translate that knowledge to a corporate environment.

"While younger users may be more technologically progressive with regard to their ability to interact with computing devices and environments, this does not equate to their proficiency or concern over security. User education, across all generations, is more important now than ever before," says Rogers.

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.